Re: [Samba] BIND-DLZ refuses to update

2012-10-01 Thread Matthieu Patou

On 09/29/2012 03:26 AM, Andrew Bartlett wrote:

On Sat, 2012-09-29 at 14:06 +0400, Dmitry Khromov wrote:

On Sat, 29 Sep 2012 13:21:21 +1000
Andrew Bartlett abart...@samba.org wrote:


The only suggestion I have here is to try turning up the debug level in
the smb.conf
named[12365]: client 192.168.1.32#1039: view realdns: update 
'klin.kifato-mk.com/IN' denied

Excuse me, I should have done it in the first place.
# sbin/samba -d 10 -i -M single 2> /tmp/smb_err.log | tee /tmp/smb_stdout.log
...
Kerberos: TGS-REQ authtime: 2012-09-29T13:39:44 starttime: 2012-09-29T13:39:47 
endtime: 2012-09-29T23:39:44 renew till: unset
Received krb5 UDP packet of length 160 from ipv4:192.168.1.31:53550
Received KDC packet of length 156 from ipv4:192.168.1.31:53550
Kerberos: AS-REQ na...@klin.kifato-mk.com from ipv4:192.168.1.31:53550 for 
krbtgt/klin.kifato-mk@klin.kifato-mk.com



Kerberos: UNKNOWN -- na...@klin.kifato-mk.com: no such entry found in hdb
/usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is 
unacceptable

For some unknown reason nsupdate is attempting to get a ticket as user
'named'.  This is why it fails.
What's the result of a SOA search on your domain name? (i.e. host -t SOA 
klin.kifato-mk.com)
It seems that nsupdate uses the MNAME result (the first word in the 
result) as the principal for which it should get a ticket.


Matthieu


--
Matthieu Patou
Samba Team
http://samba.org

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
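Matthieu's suggestion above (look at the SOA record, because nsupdate derives the principal it asks a ticket for from the MNAME) can be turned into an offline check. The following is an added example, not code from this thread or from Samba or BIND: it parses a DNS SOA response in wire format, extracts MNAME, forms the GSS-TSIG service principal under the assumed `DNS/<mname>@REALM` convention, and flags an MNAME that is not one of the domain controllers expected to serve the zone. The two response packets, the host name dc1.klin.kifato-mk.com and the list KNOWN_DCS are constructed for the example.

```python
import struct

SOA_TYPE = 6


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(pkt: bytes, off: int):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_soa_response(pkt: bytes):
    """Return zone, MNAME, RNAME and serial from the first SOA answer, or None."""
    _ident, _flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(pkt, off)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        owner, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == SOA_TYPE:
            mname, o = read_name(pkt, off)
            rname, o = read_name(pkt, o)
            serial = struct.unpack("!I", pkt[o:o + 4])[0]
            return {"zone": owner, "mname": mname, "rname": rname, "serial": serial}
        off += rdlen
    return None


def gss_update_principal(mname: str, realm: str) -> str:
    """Assumed GSS-TSIG convention: nsupdate requests DNS/<server host> in the realm."""
    return f"DNS/{mname}@{realm}"


def check_mname(mname: str, known_dcs) -> tuple:
    """Return (ok, reason). A bare label or an unknown host cannot get a valid ticket."""
    if "." not in mname:
        return False, f"MNAME {mname!r} is a bare label, not a DC FQDN"
    if mname.lower() not in {d.lower() for d in known_dcs}:
        return False, f"MNAME {mname!r} is not a known domain controller"
    return True, "MNAME names a domain controller"


def build_soa_response(zone: str, mname: str, rname: str, serial: int) -> bytes:
    """Constructed SOA answer; the answer owner is a pointer to the question name."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", SOA_TYPE, 1)
    rdata = encode_name(mname) + encode_name(rname)
    rdata += struct.pack("!IIIII", serial, 900, 600, 86400, 3600)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SOA_TYPE, 1, 3600, len(rdata)) + rdata
    return header + question + answer


# Constructed samples: one SOA whose MNAME is a bare label, one naming a DC.
ZONE = "klin.kifato-mk.com"
REALM = "KLIN.KIFATO-MK.COM"
KNOWN_DCS = ["dc1.klin.kifato-mk.com"]  # constructed host name
BAD_RESPONSE = build_soa_response(ZONE, "named", "hostmaster." + ZONE, 1)
GOOD_RESPONSE = build_soa_response(ZONE, "dc1." + ZONE, "hostmaster." + ZONE, 2)


def audit(pkt: bytes, realm: str, known_dcs) -> dict:
    """Parse the response and report which principal an update would request."""
    soa = parse_soa_response(pkt)
    ok, reason = check_mname(soa["mname"], known_dcs)
    return {"mname": soa["mname"], "ok": ok, "reason": reason,
            "principal": gss_update_principal(soa["mname"], realm)}


if __name__ == "__main__":
    for pkt in (BAD_RESPONSE, GOOD_RESPONSE):
        print(audit(pkt, REALM, KNOWN_DCS))
```

The same parser applies to a real answer captured from `dig +norecurse SOA klin.kifato-mk.com`; the point of the check is that an MNAME which is not a DC host name leads to a ticket request for a principal the KDC has no entry for, which is exactly the "no such entry found in hdb" followed by "TKEY is unacceptable" seen in the logs above.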


Re: [Samba] BIND-DLZ refuses to update

2012-09-29 Thread Dmitry Khromov
On Sat, 29 Sep 2012 13:21:21 +1000
Andrew Bartlett abart...@samba.org wrote:

 The only suggestion I have here is to try turning up the debug level in
 the smb.conf
 named[12365]: client 192.168.1.32#1039: view realdns: update 
 'klin.kifato-mk.com/IN' denied

Excuse me, I should have done it in the first place.
# sbin/samba -d 10 -i -M single 2> /tmp/smb_err.log | tee /tmp/smb_stdout.log
...
Kerberos: TGS-REQ authtime: 2012-09-29T13:39:44 starttime: 2012-09-29T13:39:47 
endtime: 2012-09-29T23:39:44 renew till: unset
Received krb5 UDP packet of length 160 from ipv4:192.168.1.31:53550
Received KDC packet of length 156 from ipv4:192.168.1.31:53550
Kerberos: AS-REQ na...@klin.kifato-mk.com from ipv4:192.168.1.31:53550 for 
krbtgt/klin.kifato-mk@klin.kifato-mk.com
ldb: ldb_trace_request: SEARCH
 dn: rootDSE
 scope: sub
 expr: (&(objectClass=user)(userPrincipalName=na...@klin.kifato-mk.com))
 control: 1.2.840.113556.1.4.1340  crit:1  data:yes

ldb: ldb_trace_request: (resolve_oids)-search
ldb: ldb_trace_next_request: (rootdse)-search
ldb: ldb_trace_next_request: (schema_load)-search
ldb: ldb_trace_next_request: (lazy_commit)-search
ldb: ldb_trace_next_request: (dirsync)-search
ldb: ldb_trace_next_request: (paged_results)-search
ldb: ldb_trace_next_request: (ranged_results)-search
ldb: ldb_trace_next_request: (anr)-search
ldb: ldb_trace_next_request: (server_sort)-search
ldb: ldb_trace_next_request: (asq)-search
ldb: ldb_trace_next_request: (extended_dn_in)-search
ldb: ldb_trace_next_request: (descriptor)-search
ldb: ldb_trace_next_request: (acl)-search
ldb: ldb_trace_next_request: (aclread)-search
ldb: ldb_trace_next_request: (operational)-search
ldb: ldb_trace_next_request: (rdn_name)-search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)-search
ldb: ldb_trace_next_request: (show_deleted)-search
ldb: ldb_trace_next_request: (partition)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: ldb_trace_next_request: (aclread)-search
ldb: ldb_trace_next_request: (operational)-search
ldb: ldb_trace_next_request: (rdn_name)-search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)-search
ldb: ldb_trace_next_request: (show_deleted)-search
ldb: ldb_trace_next_request: (partition)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (schema_data)-search
ldb: ldb_trace_next_request: (tdb)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: ldb_trace_response: DONE
error: 0

ldb: ldb_trace_request: SEARCH
 dn: CN=Partitions,CN=Configuration,DC=klin,DC=kifato-mk,DC=com
 scope: one
 expr: 
(&(objectClass=crossRef)(|(dnsRoot=KLIN.KIFATO-MK.COM)(netbiosName=KLIN.KIFATO-MK.COM))(systemFlags:1.2.840.113556.1.4.803:=2))
 control: NONE

ldb: ldb_trace_request: (resolve_oids)-search
ldb: ldb_trace_next_request: (rootdse)-search
ldb: ldb_trace_next_request: (schema_load)-search
ldb: ldb_trace_next_request: (lazy_commit)-search
ldb: ldb_trace_next_request: (dirsync)-search
ldb: ldb_trace_next_request: (paged_results)-search
ldb: ldb_trace_next_request: (ranged_results)-search
ldb: ldb_trace_next_request: (anr)-search
ldb: ldb_trace_next_request: (server_sort)-search
ldb: ldb_trace_next_request: (asq)-search
ldb: ldb_trace_next_request: (extended_dn_in)-search
ldb: ldb_trace_next_request: (descriptor)-search
ldb: ldb_trace_next_request: (acl)-search
ldb: ldb_trace_next_request: (aclread)-search
ldb: ldb_trace_next_request: (operational)-search
ldb: ldb_trace_next_request: (rdn_name)-search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)-search
ldb: ldb_trace_next_request: (show_deleted)-search
ldb: ldb_trace_next_request: (partition)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: ldb_trace_next_request: (aclread)-search
ldb: ldb_trace_next_request: (operational)-search
ldb: ldb_trace_next_request: (rdn_name)-search
ldb: ldb_trace_next_request: (extended_dn_out_ldb)-search
ldb: ldb_trace_next_request: (show_deleted)-search
ldb: ldb_trace_next_request: (partition)-search
ldb: partition_request() - (metadata partition)
ldb: ldb_trace_next_request: (tdb)-search
ldb: ldb_trace_response: ENTRY
dn: CN=MK_KLIN,CN=Partitions,CN=Configuration,DC=klin,DC=kifato-mk,DC=com


ldb: ldb_trace_response: DONE
error: 0

ldb: ldb_trace_request: SEARCH
 dn: CN=Partitions,CN=Configuration,DC=klin,DC=kifato-mk,DC=com
 scope: one
 expr: 
(distinguishedName=CN=MK_KLIN,CN=Partitions,CN=Configuration,DC=klin,DC=kifato-mk,DC=com)
 attr: ncName
 attr: dnsRoot
 control: NONE

ldb: ldb_trace_request: (resolve_oids)-search

Re: [Samba] BIND-DLZ refuses to update

2012-09-29 Thread Andrew Bartlett
On Sat, 2012-09-29 at 14:06 +0400, Dmitry Khromov wrote:
 On Sat, 29 Sep 2012 13:21:21 +1000
 Andrew Bartlett abart...@samba.org wrote:
 
  The only suggestion I have here is to try turning up the debug level in
  the smb.conf
  named[12365]: client 192.168.1.32#1039: view realdns: update 
  'klin.kifato-mk.com/IN' denied
 
 Excuse me, I should have done it in the first place.
 # sbin/samba -d 10 -i -M single 2> /tmp/smb_err.log | tee /tmp/smb_stdout.log
 ...
 Kerberos: TGS-REQ authtime: 2012-09-29T13:39:44 starttime: 
 2012-09-29T13:39:47 endtime: 2012-09-29T23:39:44 renew till: unset
 Received krb5 UDP packet of length 160 from ipv4:192.168.1.31:53550
 Received KDC packet of length 156 from ipv4:192.168.1.31:53550
 Kerberos: AS-REQ na...@klin.kifato-mk.com from ipv4:192.168.1.31:53550 for 
 krbtgt/klin.kifato-mk@klin.kifato-mk.com


 Kerberos: UNKNOWN -- na...@klin.kifato-mk.com: no such entry found in hdb
 /usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is 
 unacceptable 

For some unknown reason nsupdate is attempting to get a ticket as user
'named'.  This is why it fails.

Now, of course you want to know why it does this, but as far as I can
see it's internal to BIND's nsupdate utility.  For a number of reasons
we expect to replace this with a Samba-internal command/library soon,
but not before Samba 4.0. 

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




[Samba] BIND-DLZ refuses to update

2012-09-28 Thread Andrew Bartlett
On Sat, 2012-09-29 at 04:10 +0400, Dmitry Khromov wrote:
 Hello.
 
 We have a couple of questions regarding Samba 4.1.0pre1-GIT-aad669b running 
 on Gentoo GNU/Linux

 2) We have a problem with Samba refusing to update DNS records with Gentoo's 
 BIND 9.9.1_p3 (GSSAPI, DLZ)
 BIND log says:
 ...
 named[12365]: samba_dlz: configured writeable zone 'klin.kifato-mk.com'
 named[12365]: samba_dlz: configured writeable zone '172.in-addr.arpa'
 ...
 named[12365]: samba b9_putrr: unhandled record type 65281
 named[12365]: samba_dlz: starting transaction on zone klin.kifato-mk.com
 named[12365]: client 192.168.1.32#1039: view realdns: update 
 'klin.kifato-mk.com/IN' denied
 named[12365]: samba_dlz: cancelling transaction on zone klin.kifato-mk.com
 log.samba says:
 ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
 /usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is 
 unacceptable 
 
 Related parts of named.conf:
 options {
  ...
  tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
  ...
 };
 view realdns {
  ...
  dlz "AD DNS Zones" {
   database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
  };
  ...
 };
 

The only suggestion I have here is to try turning up the debug level in
the smb.conf, in the hope that we can get more detail on:

named[12365]: client 192.168.1.32#1039: view realdns: update
'klin.kifato-mk.com/IN' denied

Sorry,

Andrew Bartlett
-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

